•An ASP provides hosting for banks, credit unions, and other financial services companies. ASPs are attractive targets because, instead of focusing on one bank at a time, an attack could compromise dozens, hundreds or thousands of banks at a time with the same vulnerability.

•The banking application had three important URL parameters: client_id, bank_id, and acct_id. To the ASP, each of its clients has a unique ID, each client potentially has several different banking websites, and each bank has any number of customer bank accounts.
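Why this hierarchy is dangerous is that the three IDs are all attacker-controlled URL input, and a handler that only confirms the caller is logged in will happily resolve any combination. The example below is added here and is not the ASP's code: the in-memory account table, the session layout and the handler names are constructed assumptions. It contrasts a lookup that trusts the URL with one that authorizes every level of the client/bank/account chain against the session, and runs the same sequential-ID sweep an attacker would against both.

```python
"""Added example (not the ASP's application): object-level authorization for
the client_id / bank_id / acct_id hierarchy.  All data below is constructed."""

from dataclasses import dataclass

# Constructed account store: acct_id -> (client_id, bank_id, owner, balance)
ACCOUNTS = {
    1001: (1, 10, "alice", 2500),
    1002: (1, 10, "bob", 900),
    2001: (2, 20, "carol", 120000),   # a different ASP client and bank entirely
}


@dataclass(frozen=True)
class Session:
    """What the ASP knows about a login, set at authentication time (assumed shape)."""
    user: str
    client_id: int
    bank_id: int
    acct_ids: frozenset


ALICE = Session("alice", client_id=1, bank_id=10, acct_ids=frozenset({1001}))


def get_account_vulnerable(session, client_id, bank_id, acct_id):
    """Only checks that a session exists, then trusts every URL parameter."""
    if session is None:
        raise PermissionError("login required")
    rec = ACCOUNTS.get(acct_id)
    if rec is None:
        raise LookupError("no such account")
    return {"acct_id": acct_id, "owner": rec[2], "balance": rec[3]}


def get_account_hardened(session, client_id, bank_id, acct_id):
    """Authorizes against the session, not the URL.

    Every level of the hierarchy must match what the session was issued for,
    and the account must be one the user owns.  A mismatch is reported exactly
    like a missing record, so the endpoint does not confirm which IDs exist.
    """
    if session is None:
        raise PermissionError("login required")
    rec = ACCOUNTS.get(acct_id)
    if (rec is None
            or client_id != session.client_id or rec[0] != session.client_id
            or bank_id != session.bank_id or rec[1] != session.bank_id
            or acct_id not in session.acct_ids):
        raise LookupError("no such account")
    return {"acct_id": acct_id, "owner": rec[2], "balance": rec[3]}


def sweep(handler, session, id_range=range(1000, 2100)):
    """The attacker's probe: walk candidate acct_ids and record every one that
    resolves.  Real attacks would also vary client_id and bank_id; here the
    hierarchy IDs are taken from the record so the probe is maximally generous."""
    hits = []
    for acct_id in id_range:
        rec = ACCOUNTS.get(acct_id)
        if rec is None:
            continue
        try:
            handler(session, rec[0], rec[1], acct_id)
            hits.append(acct_id)
        except LookupError:
            pass
    return hits


if __name__ == "__main__":
    print("vulnerable handler exposes:", sweep(get_account_vulnerable, ALICE))
    print("hardened handler exposes:  ", sweep(get_account_hardened, ALICE))
```

The important design choice is that client_id and bank_id are never taken from the URL as the source of truth; they are compared against values bound to the session at login, so changing them in the address bar cannot move the caller into another client's bank.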

No idea how to begin to estimate the Defender need, but it'll be in the tens of thousands at least, considering the vast number of website assets that must be protected, the 1 billion online users who someone needs to ensure are playing nice, and the serious volume of Web traffic they generate that must be monitored.

•Business Wire provides a service where registered website users receive a stream of up-to-date press releases. Press releases are funneled to Business Wire by various organizations and are sometimes embargoed temporarily because the information may affect the value of a stock.

•Press release files are uploaded to the Web server (Business Wire), but not linked, until the embargo is lifted. At that time, the press release Web pages are linked into the main website and users are notified with URLs similar to the following:

•And, while links might not yet exist because the embargo was in place, that didn't mean a user couldn't guess the filename and gain access to the file. This method worked because the only security check Business Wire conducted was to ensure the user was properly logged in, nothing more.
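The failure is the same one as in the banking case: being logged in was treated as authorization. The example below is added here and is not Business Wire's code; the release store, the sequential filename pattern and the fixed clock are constructed (the slide's own URL format is not reproduced). It shows a handler that serves any uploaded file to any logged-in user, the forced-browsing probe that walks a predictable name pattern to find unlinked releases, and a hardened handler that refuses to serve a release before its embargo lifts and answers "not yet released" and "does not exist" identically so the status code cannot confirm that an embargoed file is already on the server.

```python
"""Added example (not Business Wire's code): embargo-aware access control for
unlinked press-release files.  Filenames, times and contents are constructed."""

from datetime import datetime, timedelta, timezone
import secrets

# Constructed "current time" so the example is deterministic.
NOW = datetime(2005, 11, 1, 12, 0, tzinfo=timezone.utc)

# Constructed release store: filename -> (embargo lifts at, body).
# Sequential names stand in for whatever predictable pattern the real site used.
RELEASES = {
    "release_0041.html": (NOW - timedelta(hours=2), "Q3 results: revenue up 12%"),
    "release_0042.html": (NOW + timedelta(hours=6), "Q3 results: guidance cut"),
}


def serve_vulnerable(logged_in, filename):
    """Checks login only.  Anything that has been uploaded is served, linked or not."""
    if not logged_in:
        return 401, ""
    rec = RELEASES.get(filename)
    if rec is None:
        return 404, ""
    return 200, rec[1]


def serve_hardened(logged_in, filename, now=NOW):
    """Checks login AND the release's embargo state.

    Unknown and still-embargoed files get the same 404, so a probe cannot
    distinguish "nothing there" from "there, but not yet public".
    """
    if not logged_in:
        return 401, ""
    rec = RELEASES.get(filename)
    if rec is None or now < rec[0]:
        return 404, ""
    return 200, rec[1]


def guess_unlinked(serve, start=40, count=5, logged_in=True):
    """The forced-browsing probe: walk the sequential name pattern with an
    ordinary logged-in session and keep every filename that comes back 200."""
    hits = []
    for n in range(start, start + count):
        name = f"release_{n:04d}.html"
        status, body = serve(logged_in, name)
        if status == 200:
            hits.append((name, body))
    return hits


def unguessable_name():
    """Defense in depth: a random path defeats sequential guessing.  It is a
    supplement to the embargo check in serve_hardened, not a replacement for it."""
    return f"release_{secrets.token_urlsafe(16)}.html"


if __name__ == "__main__":
    print("vulnerable:", guess_unlinked(serve_vulnerable))
    print("hardened:  ", guess_unlinked(serve_hardened))
    print("after embargo:", serve_hardened(True, "release_0042.html",
                                           now=NOW + timedelta(hours=7)))
```

Two points worth keeping in mind when applying this: the embargo check must be enforced by the thing that serves the bytes (the handler or the web server's access rules), not merely by whether a link is rendered on a page; and the random filename alone would still have leaked if the name appeared anywhere a logged-in user could see it before release.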

•According to the SEC, which began an investigation, Lohmus Haavel & Viisemann profited over $8 million by trading on the information they obtained.


A Ukrainian hacker breaks into Thomson Financial and steals a gloomy results announcement for IMS Health, hours before its release to the stock market ...

•Hacker enters ~$42,000 in sell orders betting the stock will fall

•The stock fell sharply making the hacker ~$300,000

•Red flags appear and the SEC freezes the funds

•Funds are ordered to be released: "Dorozhko's alleged 'stealing and trading' or 'hacking and trading' does not amount to a violation" of securities laws, Judge Naomi Reice Buchwald

•The Times speculates that the DoJ has simply deemed the case not worth pursuing, probably due to the difficulties involved in gaining cooperation from local authorities to capture criminals in Ukraine.